Crypto Broker FPG Exploited to the Tune of $20 Million

Following a security breach that took place on Sunday, Floating Point Group – a crypto broker with $50 billion in assets under management whose primary clients are institutional investors – said it lost somewhere between $15-20 million and counting.

Investigation Underway

Clients were recently notified of the breach via email, saying all operations on the platform were temporarily suspended until the investigation is concluded in a satisfactory manner “out of an abundance of caution.” According to a spokesperson for the company, updates on the situation will be few and far between, as the FBI and DHS are both allegedly involved.

“We are working with the FBI, the Department of Homeland Security, our regulators, and Chainalysis to understand how this occurred and to recover assets. As this is an ongoing investigation with law enforcement, we cannot share specifics at this time.”

For now, deposits, withdrawals, and trading are locked, with no estimated restart date.

2/5 Our account segregation limited the overall impact of the attack. We have ceased trading, deposits, and withdrawals, out of an abundance of caution. Finally, we have notified law enforcement and are actively cooperating with them on this matter.

— Floating Point Group (@fpgcrypto) June 14, 2023

FPG then took to Twitter to notify the crypto community at large of the breach, albeit with locked replies.

Cybersecurity Measures Allegedly Mitigated Some Damage

According to a spokesperson for the company, FPG’s internal compartmentalization of accounts limited the scope of the attack.

This wording could hint at a phishing attack in which the login credentials for minor administrators were used to empty the accounts of clients whose funds were being managed by said administrator. In this case, the investigation in progress is probably focused on discovering just how many sets of credentials may be compromised.

It’s worth noting that FPG regularly performed both internal and external audits. Late last year, both CertiK and Prescient Assurance conducted an external audit of FPG’s cybersecurity measures. The firm was awarded a SOC 2 Type 1 certificate, acknowledging its commitment to a robust cybersecurity environment.

“FPG has received today a SOC 2 Type 1 certification. We have implemented continuous security and compliance monitoring with a suite of enterprise tools to enable ongoing assessment of infrastructure, technology, and employees to reinforce and uphold a commitment to serving customers and protecting their digital assets.“

Unfortunately, these measures were not stringent enough, as hackers still found a way to breach their systems and make off with a serious amount of stolen crypto.